From 8f8c22b8295538e7b15d0b62b5b571be4ced9033 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Fri, 11 Mar 2022 22:48:15 +0000
Subject: [PATCH] Pin actions by SHA and set permissions for workflow

- Pinned dependencies https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Restricting permissions for github actions https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
---
 .github/workflows/on-tag.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/on-tag.yml b/.github/workflows/on-tag.yml
index a7a9929d9..da30f0641 100644
--- a/.github/workflows/on-tag.yml
+++ b/.github/workflows/on-tag.yml
@@ -11,6 +11,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+
 - v[0-9]+.[0-9]+.[0-9]+-*
 
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
@@ -35,24 +38,24 @@ jobs:
 run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
 - name: Checkout project
- uses: actions/checkout@v2
+ uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 - name: Init repo for Dockerization
 run: docker/init.sh "$TAG"
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1
 id: qemu
 - name: Setup Docker buildx action
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
 id: buildx
 - name: Available platforms
 run: echo ${{ steps.buildx.outputs.platforms }}
 - name: Cache Docker layers
- uses: actions/cache@v2
+ uses: actions/cache@661fd3eb7f2f20d8c7c84bc2b0509efd7a826628 # v2
 id: cache
 with:
 path: /tmp/.buildx-cache
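Review bot: The workflow-level `permissions:` block in the first hunk grants only `contents: read`, which sets every other GITHUB_TOKEN scope to none for all jobs, and the body of `build` continues outside this hunk, so any step there that relies on the token for more than reading the repository (for example `packages: write` for a registry push) now needs a job-level `permissions:` grant — worth confirming against the rest of the file before merging. The docker login visible at the top of the second hunk authenticates with `secrets.DOCKER_PASSWORD` / `secrets.DOCKER_USERNAME` rather than GITHUB_TOKEN, so that step is unaffected. To keep the intent from being widened by a later editor, add a comment above the new block: `# Least-privilege default for GITHUB_TOKEN; request extra scopes per job, not here.`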